Iyer,

Thanks for the help.

You wrote :

The default value is 1 megabyte (MB) or 1000000 bytes. If the maximum size is reached, the auditing process stops. Use transaction SM18 to delete old audit log files.

Question ->What do you mean by the auditing process stops? Does the system creates another file of same size after it reaches to max file size? Does SM18 know which files to delete from OS level?

Kindly suggest steps to execute briefly.

Thanks,

Regards,

Pranav

The audit files are located on the individual application servers. You define the name and location of the files in a profile parameter, rsau/local/file.When an event occurs that is to be audited, the system generates a corresponding audit record or audit message, and writes it to the file.

SAP systems maintain their audit logs on a daily basis. The system does not delete or overwrite audit files from previous days; it keeps them until you manually delete them using SM18.

There is no new file created, you archive the files from the application server folder where it is stored or you delete old files. And yes SM18 deletes audit files which are more than n number days old as per your specifications.

> Total Questions: 56 (45 unresolved)

Julius

You got the wrong person.

We already discussed this in the past.

Iyer,

Thanks for the information.

Just a last question-

You wrote:

"There is no new file created, you archive the files from the application server

folder where it is stored or you delete old files."

If the file reaches its max size (example 2GB or 1GB depending on whatever is defined in the

parameter) what happens? Please advise.

Thanks

Regards,

PT.

Iyer,

I do not see the parameter you mentioned in RZ11 : rsau/local/file

However, I do see following parameters.

rsau/SQL-Audit/filesize

rsau/SQL-Audit/filename

rsau/SQL-Audit/logdir

We are on SQL Server 8.0 and running ECC 6.0

Please advise.

Regards,

PT.

Hello Pranav,

The parameter rsau/local/file is obsolete in versions after 4.6C and can be left out. However, I suggest you refer the OSS note 539404 as it answers all your questions and even further more. I have pasted the link below to help your search:

Link: [539404|https://websmp230.sap-ag.de/sap(bD1lbiZjPTAwMQ==)/bc/bsp/spn/sapnotes/index2.htm?numm=539404]

Regards,

Subbu

I was refering to the fact that you have 54 unresolved questions with this account (not the other one).

The most likely reason for this is that you could have found the answer via a simple search, hence people people are not giving you compleete step-by-step answers as this is a duplicated effort which waste's their time, known as "spoon feeding".

Please follow-up on your questions and use the search.

Cheers and all the best for the new year 2009.

Julius

Julius

Again same thing we are going over again.

I only have one account and always provide the feed back.

We are having tight deadlines and could not find any good old posting on SDN for my question.

OSS notes has bad reputation since 2.X (take my word for it)

Thanks,

From

PT.

> OSS notes has bad reputation since 2.X (take my word for it)

Then it is my word against yours...

Lets take a closer look at an example:

From the thread =>

The "PT" user =>

> Total Questions: 7 (4 unresolved)

From the thread =>

The "PT" user =>

> Total Questions: 56 (45 unresolved)

In both cases for both users, the server logs show that the same question is coming from exactly the same location close to <removed_by_moderator> ( <removed_by_moderator> to be precise).

I think you should add <removed_by_moderator> , the search, and learning to use OSS in the correct way, to your new years resolutions.

Come on PT! Clean up your mess!

Julius

Edited by: Julius Bussche on Dec 29, 2008 8:17 PM

Julius

Agreed

They are mine.

But Guess what I only see few questions wen I click on my questions link on upper right hand link.

Thanks

From

PT.

Those are probably the first 5 questions, on Page 1 of 12 Pages ......

> If the file reaches its max size (example 2GB or 1GB depending on whatever is defined in the

> parameter) what happens? Please advise.

It depends.

Either it starts a new file with a suffix added to the end of the file name (which includes the date in the naming convention already), or the log stops. That the log stops is a security feature (one which is less worse, than being replaced by new entries).

Which release are you on? And which operating system?

Cheers,

Julius

Yes, I do see them now.

My apology.

I never realized that they were getting accumulated as unresolved.

For some of them, I did not get answer so I did not update them.

I will take care of it.

Thanks for the notice

From,

PT.

____________________________________________________

Please take note that the more information you provide with the question, will make it more probable that knowledgable people will answer the part which you are having a problem with.

Failing to do so, results in links from help.sap.com and google searches (which you could have found yourself) and you don't get your answer, resulting in unresolved threads.

I understand (and sympathize with you) based on one of your previous posts that the SAP implementation on your end did not leave you with much documentation to work with. But that does not help us either when trying to help you.

If you add more relevant information, then I am sure you will get more relevant answers.

Thanks for starting the clean up,

Julius

We are on ECC 6.0

Windows 2003

Please advise.

Thanks,

From

PT.

Hi PT,

Which part of my answer does not work for you?

Cheers,

Julius